EP0935214B1 - Smart card with integrated circuit - Google Patents

Smart card with integrated circuit

Info

Publication number
EP0935214B1
Authority
EP
European Patent Office
Prior art keywords
register
mode
registers
memory
address
Prior art date
Legal status
Expired - Lifetime
Application number
EP99200263A
Other languages
German (de)
French (fr)
Other versions
EP0935214A3 (en)
EP0935214A2 (en)
Inventor
Thorwald Rabeler
Current Assignee
NXP BV
Original Assignee
NXP BV

Classifications

    • G PHYSICS
      • G07 CHECKING-DEVICES
        • G07F COIN-FREED OR LIKE APPARATUS
          • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
            • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
              • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
                • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
                • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
              • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
                • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q20/00 Payment architectures, schemes or protocols
            • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
              • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
                • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
                • G06Q20/357 Cards having a plurality of specified features
                  • G06Q20/3576 Multiple memory zones on card

Definitions

  • The invention relates to a chip card with an integrated circuit that contains a control unit in the form of a microprocessor, and memory.
  • Such chip cards are generally known and are used for various purposes.
  • Frequently such cards hold security-relevant information: bank cards carrying credit balances or credit lines as well as personal secret numbers, or patient cards holding confidential information about the patient that should be readable only after a personal secret number has been entered.
  • Such cards are also used for access control to certain rooms or buildings. In all cases it must be prevented that secret data can be read out of the card by fraudulent manipulation, or that data on the card can be altered in an undesired way.
  • The prior art describes a chip card with microprocessor and memory in which impermissible, i.e. unwanted, access to data in the card for reading or modification is prevented with the greatest possible security.
  • There, a protection circuit decoupled from the actual microprocessor circuit is provided, which monitors each address that is accessed.
  • The object of the invention is to provide a chip card with microprocessor and memory in which the additional protection circuit can be dispensed with, but impermissible access to data is nevertheless prevented.
  • Blocking memory locations, or releasing certain memory areas for one user program at a time, is achieved simply by dividing the memory into defined areas, also called segments or pages; different user programs are then expediently assigned different segments.
  • The segments are determined by the contents of one or more corresponding registers that can be changed only in system mode. The memory areas of different user programs are thereby securely delimited from one another.
  • Access can be restricted to only part of a segment by providing further registers that specify a boundary address within the segment.
  • Each address, i.e. its lower-order bits, is compared automatically with the contents of such a register.
  • A bit group is provided, preferably in the segment register, whose value is written into the memory location together with the data being written. On read-out it is then checked whether the contents of the corresponding part of the memory location match this bit group. If they do not, read-out is blocked.
  • If a user program in user mode attempts to access a register or memory location that is not permitted for that user program, then instead of a special system message only a value corresponding to an empty memory cell is output, i.e. a cell that has not been written since the card was manufactured. In this way a fraudulent user cannot tell whether the access was to an empty location or to a blocked one. In addition, such a value corresponds to an unconditional jump into system mode.
  • The blocking is carried out via registers that can be changed only in system mode.
  • These registers form at least part of the special function registers, the so-called SF registers.
  • These registers are connected to one another by an internal register bus.
  • This internal register bus has an interface to the internal data bus, through which data can be written from the data bus into the registers or read from the registers onto the data bus.
  • This register bus is divided by a switch that is closed only in system mode. This is a very simple way of locking the corresponding registers and, indirectly, all the memory locations that are not accessible.
  • Fig. 1 schematically shows the parts of a microprocessor that are essential to the invention.
  • A program counter 10 is connected to the internal bus 11; it can be set to a specific address via the data bus and otherwise counts on autonomously.
  • For the sake of clarity, the control signals required for this are not shown individually for the program counter or for the other elements in this figure and in the other figures.
  • The program counter 10 delivers its contents to a memory management unit MMU 14, which supplies a memory 20 with address and control signals via a connection 15.
  • This memory 20 expediently consists of several memory units, in particular a ROM for the system program or essential parts of it, a writable EEPROM for user programs and certain fixed data such as secret numbers, and a volatile RAM, in particular for storing intermediate results of individual processing steps.
  • The individual memories are selected by control signals via the connection 15. Via a connection 29, data read out from addressed memory locations is output, or data to be written into writable memory locations is supplied.
  • The MMU 14 is also connected directly to the bus 11, so that data from the bus 11 can be supplied to the memory 20 as addresses.
  • The MMU 14 is connected to registers 18, shown here in simplified form as a single block, which hold information on which memory unit in the memory 20 is to be selected and, in addition, which memory area or address area within the selected unit is addressed.
  • The EEPROM memory unit is divided into areas generally referred to as segments or pages. Each user program is assigned one or more specific segments for program information and data, which are defined when the user program is written. These assignments can be changed only by the system program, as explained later.
  • An arithmetic logic unit ALU 12 is connected by an input to the bus 11.
  • The internal structure of this unit, which includes in particular a computing unit, an accumulator and further registers, is known per se and therefore not shown here.
  • The results of this unit 12 are returned to the bus 11.
  • Some signals that arise during calculations, such as carry signals, overflow indications or zero results, are fed via a link 13 to a register 26 that holds one part of the so-called program status word.
  • The second part of the program status word is held in a register 28.
  • Registers 24 are provided that can be loaded from outside the microprocessor, or can deliver data to the outside, via a connection 25.
  • The registers 18, 28 and 24 are interconnected by a special bus 23 that leads to a connection unit 30. Further registers may be connected to this bus 23, as indicated by the dashed line to the connection unit 30.
  • The connection unit 30 is further connected to an internal bus 21, which leads to the register 26 for the one part of the program status word and to a coupling unit 22 that connects this bus 21 to the bus 11 under appropriate control via control lines not shown separately.
  • The buses 21 and 23 together represent the internal bus for the special function registers that is usual in microprocessors. The two parts form a single bus when the connection unit 30, driven via the line 27, connects them.
  • The control line 27 is connected to a certain part of the register 28 that holds a mode bit.
  • The value of this bit determines whether the microprocessor is operating in system mode or in user mode.
  • In system mode the connection unit 30 is driven to connect the two bus parts 21 and 23 with each other, producing a single bus over which all special function registers, such as the illustrated registers 18, 24, 26 and 28 and optionally further registers not shown, are interconnected. In system mode all registers can be accessed.
  • With the other value of the mode bit, the connection unit 30 is driven via the control line 27 to separate the two bus parts 21 and 23. The registers 18, 28 and 24, and any other registers connected to the bus 23, can then no longer be accessed, neither for writing nor even for reading.
  • The transition from user mode to system mode is made by a special jump instruction that switches the mode bit in register 28 to system mode.
  • At the same time the start of the system program is called, whose essential content is fixed and unchangeable.
  • In system mode the register 18 can be changed so that other memory units, or other segments within a memory unit, can be addressed in the subsequent user program.
  • When the mode bit in register 28 is switched back, the connection to the bus 23 is interrupted again via the control line 27 in the connection unit 30, so that the registers connected to it can no longer be accessed.
  • Fig. 2 shows the structure of the connection unit 30 in somewhat more detail.
  • The switches 302 and 304 are driven together via the control line 27.
  • In the switch position illustrated in Fig. 2 the connection is broken, and the data transmitted to the bus 21 comes from a fixed data line 306.
  • This data value corresponds to the value of the jump instruction that jumps into system mode. So if a user program attempts to access a register that is not permitted, a value corresponding to the jump instruction is read out. If this value is interpreted as an instruction, such a forbidden access always leads into system mode, in which only specified instruction sequences that cannot be changed by a user are executed.
  • In Fig. 3 the connection to the bus 11 leads to an address calculator 140, where the data from the bus 11 is combined into an address with a higher-significance address part coming from the register 18 in Fig. 1 via the connection 19, and is output via the connection 141.
  • The connection 141 leads to a blocking unit 144 and to a comparator 142.
  • A second input of the comparator 142 is connected to the output of a register 32, which is likewise connected as a special function register to the bus 23, is accessible only in system mode, and can be loaded in system mode with a value for an address boundary.
  • This address boundary is compared with, preferably, parts of the address on the connection 141. If the address lies within the predetermined limit, the comparator 142 enables the blocking unit 144 via the line 141, and the address is fed via the connection 15 to the memory 20 in Fig. 1. In this way, in user mode, access to a part of the segment associated with the user program can be blocked.
  • Fig. 4 schematically shows another safeguard against access to unauthorized data. When the contents of a memory location in the memory 20 of Fig. 1 are read out and the corresponding data is output via the connection 29, the data is supplied to a comparator 42 and to a further blocking unit 40.
  • The comparator 42 receives at a further input data from the register 18, which was loaded via the bus 23.
  • The comparator 42 checks certain parts of the data word on the connection 29 for equality with the data supplied by the register 18. Only if they are equal is the blocking unit 40 enabled via the line 43, and the data is delivered on the connection 45. In response to control signals on control lines not shown separately, this data is written either into a data register 44, which supplies it to the bus 11, or into an instruction register 46, which supplies it as an instruction to an instruction decoder, not shown.
  • Fig. 5 symbolically shows the division into a protected system part 50 and an unprotected user part 60.
  • For the user part 60, access to a stack memory 62 and to the program counter 64 is released.
  • One half of the program status word register 59 is available to this user part.
  • The other part of this register 59 is available only to the system part 50.
  • From the system part, a system stack 570, 571 can be accessed via register 57, and, via an interface 52 to the special function register bus 52, registers such as the write-enable memory register 56, a register 55 for general memory access, the register 54 for input/output operations and a register 53 for a coprocessor, which is preferably arranged on the same chip.
  • Further such registers, not shown, may be present.
  • Access to the units shown in the system area 50 is possible only if the mode bit is set. In the user area, access to the units 62 and 64 shown there is possible, but not to the units shown in the system area 50.
  • In the program status word of Fig. 6, section 71 contains the mode bit.
  • Section 72 contains a bit that can be used to check the program sequence, which is important above all when creating programs.
  • The content of section 73 serves for register selection.
  • The content of section 74 masks interrupt requests.
  • The part after the double line is also readable and changeable in user mode and contains two sections 75 and 76, in which carry signals arising in the ALU 12 of Fig. 1 are stored.
  • Section 77 can largely be defined freely by the user program.
  • The next section stores the indication that an overflow has occurred in the ALU 12 of Fig. 1.
  • Section 79 indicates that a negative result has occurred in the ALU 12, and section 80 indicates that the value zero has arisen in the calculation. Since these are only signals from the ALU 12 of Fig. 1, access to these areas must also be possible in user mode.
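As an added C model (not code from the patent or from NXP), the following shows the two-register program status word of Figs. 5 and 6: the system half, register 28, carries the mode bit, the trace bit, the register selection and the interrupt mask and is writable only in system mode, while the ALU result flags land in the user half, register 26, which user programs may read and change. Bit positions, the field widths and all identifiers are assumptions made for the illustration.

```c
/* Added illustration of the split program status word; all bit layouts are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Register 28 (system part, Fig. 6 sections 71-74). */
#define R28_MODE      (1u << 7)   /* section 71: mode bit, set = system mode */
#define R28_TRACE     (1u << 6)   /* section 72: program-sequence check bit */
#define R28_REGSEL    (3u << 4)   /* section 73: register selection */
#define R28_IRQMASK   0x0Fu       /* section 74: interrupt request mask */

/* Register 26 (user part, Fig. 6 sections 75-80). */
#define R26_CARRY     (1u << 7)   /* section 75 */
#define R26_HALFCARRY (1u << 6)   /* section 76 */
#define R26_USER      (1u << 5)   /* section 77: free for the user program */
#define R26_OVERFLOW  (1u << 2)
#define R26_NEGATIVE  (1u << 1)   /* section 79 */
#define R26_ZERO      (1u << 0)   /* section 80 */

struct psw { uint8_t r28; uint8_t r26; };

bool in_system_mode(const struct psw *p) { return (p->r28 & R28_MODE) != 0; }

/* A write to the PSW by the running program. The user half is always writable;
 * the system half sits on bus 23 and is reachable only while the mode bit is set.
 * Returns whether the write took effect. */
bool psw_write(struct psw *p, bool system_half, uint8_t value)
{
    if (system_half) {
        if (!in_system_mode(p))
            return false;          /* bus 23 disconnected: write is dropped */
        p->r28 = value;
        return true;
    }
    p->r26 = value;
    return true;
}

/* ALU result signals (link 13 in Fig. 1) update only the user half. */
void alu_set_flags(struct psw *p, int16_t result, bool carry)
{
    p->r26 &= (uint8_t)~(R26_CARRY | R26_OVERFLOW | R26_NEGATIVE | R26_ZERO);
    if (carry)                         p->r26 |= R26_CARRY;
    if (result < -128 || result > 127) p->r26 |= R26_OVERFLOW;   /* outside 8-bit signed range */
    if (result < 0)                    p->r26 |= R26_NEGATIVE;
    if (result == 0)                   p->r26 |= R26_ZERO;
}

/* The special jump instruction is the only path into system mode. */
void jump_to_system(struct psw *p) { p->r28 |= R28_MODE; }
void return_to_user(struct psw *p)  { p->r28 &= (uint8_t)~R28_MODE; }

int main(void)
{
    struct psw p = { 0, 0 };   /* card starts in user mode, all fields clear */

    /* A user program cannot promote itself by writing the mode bit. */
    printf("user write to register 28 accepted: %s\n", psw_write(&p, true, R28_MODE) ? "yes" : "no");
    alu_set_flags(&p, -5, true);
    printf("register 26 after ALU result -5 with carry: 0x%02X\n", p.r26);

    jump_to_system(&p);
    psw_write(&p, true, R28_MODE | 0x05);   /* system program sets an interrupt mask */
    printf("interrupt mask set in system mode: 0x%X\n", p.r28 & R28_IRQMASK);
    return_to_user(&p);
    printf("back in user mode, mode bit: %d\n", in_system_mode(&p));
    return 0;
}
```

The point of the split is visible in `psw_write`: the only way the mode bit changes is through `jump_to_system`, which stands in for the page's special jump instruction, so a user program's attempt to write register 28 is simply dropped.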


Description

The invention relates to a chip card with an integrated circuit that contains a control unit in the form of a microprocessor, and memory. Such chip cards are generally known and are used for various purposes. Frequently such cards are used for purposes in which security-relevant information is held on the card. This is the case, for example, with bank cards, where credit balances or credit lines as well as personal secret numbers are held on the card, or with patient cards, which hold confidential information about the patient that should be readable only after a personal secret number has been entered. Such cards are also used for access control to certain rooms or buildings. In all cases it must be prevented that secret data can be read out of the card by fraudulent manipulation, or that data on the card can be altered in an undesired way.

EP-A-0 512 542 discloses a chip card with microprocessor and memory in which impermissible, i.e. unwanted, access to data in the card for reading or modification is prevented with the greatest possible security. For this purpose a protection circuit decoupled from the actual microprocessor circuit is provided, which monitors each address that is accessed.

The object of the invention is to provide a chip card with microprocessor and memory in which the additional protection circuit can be dispensed with, but impermissible access to data is nevertheless prevented.

According to the invention this object is achieved by the characterizing part of claim 1. As a result, access to all registers and memory locations holding security-relevant information is possible only in system mode. System mode works with a permanently stored program which, of course, can likewise neither be read out nor altered from outside. This program is independent of the particular applications.

This has the advantage that such a system program needs to be checked and approved for its security-relevant functions only once. The user programs, which are created by the respective institutions such as banks or health insurers and loaded onto the card, then need no special checking. Every access to secret data within a user program takes place exclusively through the system program. This is particularly important for chip cards that serve more than one application. The system program ensures that all the different user programs are clearly and reliably separated from one another, and that no user program can access another user program or the data used in it.

To access secret data that is to be legitimately used in a user program, a specific jump into the system program is always triggered, which switches the mode bit. In system mode all registers and all memory locations are accessible. On the other hand, it can be checked precisely in system mode whether the requested access is actually permitted. This check cannot be disabled even by a fraudulent user. Every input and output operation on data is treated in the same way as an access to secret data.

Blocking memory locations, or releasing certain memory areas for one user program at a time, is achieved in a simple way by dividing the memory into defined areas, also called segments or pages; different user programs are then expediently assigned different segments. The segments are determined by the contents of one or more corresponding registers that can be changed only in system mode. The memory areas of different user programs are thereby securely delimited from one another.

In addition, access within a segment can be restricted to only part of that segment by providing further registers that specify a boundary address within the segment. Each address, that is, its lower-order bits, is compared automatically with the contents of such a register. These registers too can be read and overwritten only in system mode.

Furthermore, a bit group is provided, preferably in the segment register, whose value is written into the memory location together with the data being written. On read-out it is then checked whether the contents of the corresponding part of the memory location match this bit group. If they do not, read-out is blocked.
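The write-with-tag and check-on-read mechanism just described, as an added C model that is not part of the patent or of any NXP code. The cell layout (8 data bits plus a 4-bit owner tag), the erased-cell value, the memory size and all identifiers are assumptions made for the illustration; the comparator and blocking unit follow the Fig. 4 description.

```c
/* Added illustration of tagged memory cells; widths and the erased value are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_CELLS  16
#define TAG_BITS   4
#define TAG_MASK   ((1u << TAG_BITS) - 1u)
#define EMPTY_CELL 0xFFFu      /* assumed: an erased cell reads as all ones, data and tag */

/* Each cell holds [tag:4][data:8]; the tag is the bit group from the segment register. */
typedef uint16_t cell_t;

struct tagged_mem {
    cell_t  cell[MEM_CELLS];
    uint8_t seg_tag;           /* bit group in the segment register 18; system mode only */
};

void mem_init(struct tagged_mem *m, uint8_t seg_tag)
{
    for (int i = 0; i < MEM_CELLS; i++)
        m->cell[i] = EMPTY_CELL;
    m->seg_tag = (uint8_t)(seg_tag & TAG_MASK);
}

/* Write path: the current segment tag is stored in the cell together with the data. */
void mem_write(struct tagged_mem *m, unsigned addr, uint8_t data)
{
    m->cell[addr % MEM_CELLS] = (cell_t)(((unsigned)m->seg_tag << 8) | data);
}

/* Read path (comparator 42 and blocking unit 40): the stored tag must equal the tag of
 * the segment currently selected, otherwise the blocking unit keeps the data back.
 * Returns true and sets *data only when the read is released. */
bool mem_read(const struct tagged_mem *m, unsigned addr, uint8_t *data)
{
    cell_t c = m->cell[addr % MEM_CELLS];
    if (((c >> 8) & TAG_MASK) != m->seg_tag)
        return false;
    *data = (uint8_t)(c & 0xFFu);
    return true;
}

int main(void)
{
    struct tagged_mem m;
    uint8_t out = 0;

    mem_init(&m, 3);                        /* system program selects the segment with tag 3 */
    mem_write(&m, 5, 0x42);
    printf("same program reads cell 5: %s\n", mem_read(&m, 5, &out) ? "released" : "blocked");
    printf("erased cell 6: %s\n", mem_read(&m, 6, &out) ? "released" : "blocked");

    m.seg_tag = 5;                          /* system program switches to another program's segment */
    printf("other program reads cell 5: %s\n", mem_read(&m, 5, &out) ? "released" : "blocked");
    return 0;
}
```

Because an erased cell carries the all-ones tag, it never matches a program tag below 0xF; a real design would reserve that tag value so that unwritten cells are never released to any user program.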

If a user program in user mode attempts to access a register or memory location that is not permitted for that user program, then instead of a special system message only a value corresponding to an empty memory cell can be output, that is, a cell that has not been written since the card was manufactured. In this way a fraudulent user cannot tell whether the access was actually to an empty memory location or to a blocked one. In addition, such a value corresponds to an unconditional jump into system mode.

All non-released memory areas are therefore blocked via registers that can be changed only in system mode. These registers form at least part of the special function registers, the so-called SF registers. These registers are connected to one another by an internal register bus. This internal register bus also has an interface to the internal data bus, through which data can be written from the data bus into the registers or read from the registers onto the data bus. Expediently, this register bus is now divided by a switch that is closed only in system mode. This is a very simple way of locking the corresponding registers and, indirectly, all the memory locations that are not accessible.
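As an added example (not code from the patent or from NXP), the following C model ties together the segment register, the boundary-address register, the mode bit and the split SF-register bus of the preceding paragraphs: in user mode a read of a locked register yields the fixed value that doubles as the jump-to-system-mode instruction, a write to it is dropped, and an in-segment offset at or beyond the boundary is blocked by the MMU. The segment size, the opcode value and every identifier are assumptions.

```c
/* Added illustration of the mode-gated SF registers and boundary check; values assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SEG_SHIFT  8            /* assumed: 256-byte segments, low 8 address bits are the offset */
#define EMPTY_CELL 0xFFu        /* assumed value of a never-written EEPROM cell */
#define JMP_SYSTEM EMPTY_CELL   /* per the page: the empty value is also the jump-to-system opcode */

enum mode { USER_MODE = 0, SYSTEM_MODE = 1 };
enum sf_reg { SF_SEGMENT, SF_BOUNDARY };

/* Special function registers reachable over the switchable bus 23. */
struct card {
    enum mode mode_bit;   /* mode bit in register 28 */
    uint8_t   segment;    /* register 18: segment assigned to the current user program */
    uint8_t   boundary;   /* register 32: offsets below this value are accessible */
};

/* Connection unit 30: in user mode the bus is split and a read returns the fixed
 * value from line 306, i.e. the jump-to-system-mode instruction. */
uint8_t sf_read(const struct card *c, enum sf_reg r)
{
    if (c->mode_bit != SYSTEM_MODE)
        return JMP_SYSTEM;
    return r == SF_SEGMENT ? c->segment : c->boundary;
}

/* A write from user mode never reaches the register; returns whether it took effect. */
bool sf_write(struct card *c, enum sf_reg r, uint8_t value)
{
    if (c->mode_bit != SYSTEM_MODE)
        return false;
    if (r == SF_SEGMENT) c->segment = value; else c->boundary = value;
    return true;
}

/* The special jump instruction is the only way into system mode. */
void jump_to_system(struct card *c) { c->mode_bit = SYSTEM_MODE; }
void return_to_user(struct card *c)  { c->mode_bit = USER_MODE; }

/* Address calculator 140 with comparator 142 and blocking unit 144 (Fig. 3):
 * the physical address is segment:offset; in user mode the offset is compared with the
 * boundary register and the access is blocked when it lies outside the limit.
 * Returns true and sets *phys only when the access is allowed. */
bool mmu_translate(const struct card *c, uint8_t offset, uint16_t *phys)
{
    if (c->mode_bit == USER_MODE && offset >= c->boundary)
        return false;                            /* blocking unit 144 stays closed */
    *phys = (uint16_t)(((unsigned)c->segment << SEG_SHIFT) | offset);
    return true;
}

int main(void)
{
    struct card c = { USER_MODE, 0, 0 };
    uint16_t phys = 0;

    /* System program assigns segment 2 with a 0x80-byte window, then hands over. */
    jump_to_system(&c);
    sf_write(&c, SF_SEGMENT, 2);
    sf_write(&c, SF_BOUNDARY, 0x80);
    return_to_user(&c);

    printf("offset 0x10 -> %s\n", mmu_translate(&c, 0x10, &phys) ? "allowed" : "blocked");
    printf("offset 0x90 -> %s\n", mmu_translate(&c, 0x90, &phys) ? "allowed" : "blocked");
    printf("user read of segment register -> 0x%02X\n", sf_read(&c, SF_SEGMENT));
    printf("user write to segment register accepted: %s\n",
           sf_write(&c, SF_SEGMENT, 3) ? "yes" : "no");
    return 0;
}
```

The user-mode read returning `JMP_SYSTEM` is the detail worth noting: the same byte looks like an empty cell to a probing program and, if it is fetched as an instruction, diverts execution into the fixed system program rather than letting the user program continue.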

Embodiments of the invention are explained below with reference to the drawing, in which:

  • Fig. 1 is a block diagram of the most important parts of a microprocessor for a chip card,
  • Fig. 2 shows the more detailed construction of a detail from it,
  • Fig. 3 is a block diagram for checking address boundaries,
  • Fig. 4 is a block diagram for checking the contents of memory locations,
  • Fig. 5 is a symbolic representation of the division between the protected system area and the unprotected user area,
  • Fig. 6 is an example of the construction of a program status word in two separate registers.

Fig. 1 schematically shows the parts of a microprocessor that are essential to the invention. A program counter 10 is connected to an internal bus 11, which comprises a number of data and control lines; the program counter can be set to a specific address via the data bus and otherwise continues counting autonomously. For clarity, the control signals required for this are not shown individually for the program counter or for the other elements in this figure and in the other figures.

The program counter 10 delivers its contents to a memory management unit MMU 14, which supplies a memory 20 with address and control signals via a connection 15. This memory 20 expediently consists of several memory units, in particular a ROM for the system program or essential parts of it, a writable EEPROM for user programs and certain fixed data such as secret numbers, and a volatile RAM, in particular for storing intermediate results of individual processing steps. The individual memories are selected by control signals via the connection 15. Data read from addressed memory locations is output, and data to be written into writable memory locations is supplied, via a connection 29.

The MMU 14 is also connected directly to the bus 11 in order to supply data from the bus 11 to the memory 20 as addresses. In addition, the MMU 14 is connected to registers 18, shown here in simplified form as a single block, which contain information on which memory unit in the memory 20 is to be selected and, additionally, which memory area or address range within the selected memory unit is addressed. For this purpose the EEPROM memory unit in particular is divided into areas generally referred to as segments or pages. Each user program is assigned one or more specific segments for program information and data; the assignment is fixed when the user program in question is written into memory. These assignments can be changed only by the system program, as will be explained later.

An arithmetic logic unit ALU 12 has one input connected to the bus 11. The internal structure of this unit, which comprises in particular a computing unit, an accumulator and further registers, is known per se and is therefore not shown in detail here. The results computed by the unit 12 are returned to the bus 11. In addition, some signals that arise during calculations, such as carry signals, overflow indications or zero results, are fed via a connection 13 to a register 26, which contains one part of the so-called program status word. The second part of the program status word is held in a register 28.

For the input or output of data, for example from outside the chip card or from a coprocessor in the chip card or on the same chip as the microprocessor, registers 24 are provided which can be loaded from outside the microprocessor via a connection 25 or can output data to the outside.

The registers 18, 28 and 24 are interconnected via a special bus 23, which leads to a connection unit 30. Further registers may be connected to this bus 23, as indicated by the dashed line leading to the connection unit 30. The connection unit 30 is also connected to an internal bus 21, which leads to the register 26 for one part of the program status word and to a coupling unit 22 that connects this bus 21 to the bus 11 when driven accordingly via control lines not shown separately. The buses 21 and 23 constitute the internal bus for the special function registers that is customary in microprocessors. The two parts form a single bus when the connection unit 30, driven via the line 27, connects them.

The control line 27 is connected to a particular part of the register 28 that contains a mode bit. The value of this bit determines whether the microprocessor operates in system mode or in user mode. When the value of this bit indicates system mode, the connection unit 30 is driven to connect the two bus parts 21 and 23, so that a single bus is formed over which all special function registers, such as the illustrated registers 18, 24, 26 and 28 and, where present, further registers not shown, are interconnected. In system mode, therefore, all registers can be accessed. In user mode, the other value of the mode bit drives the connection unit 30 via the control line 27 to separate the two bus parts 21 and 23. The registers 18, 28 and 24, and any further registers connected to the bus 23, can then no longer be accessed, neither for writing nor even for reading.

The transition from user mode to system mode takes place by means of a special jump instruction, which switches the mode bit in the register 28 to system mode. At the same time the beginning of the system program is invoked, whose essential content is fixed and unalterable. In the system program, for example, the register 18 can be modified so that other memory units, or other segments within a memory unit, can be addressed in the user program that follows. At the end of the system program the mode bit in the register 28 is switched back, whereupon the connection to the bus 23 is interrupted again in the connection unit 30 via the control line 27, so that the registers connected to it can no longer be accessed.

Fig. 2 shows the structure of the connection unit 30 in somewhat more detail. Data is transferred from the bus 21 to the bus 23 via a switch 302, while data to be transferred from the bus 23 to the bus 21 passes through a switch 304. The switches 302 and 304 are driven jointly via the control line 27. In the position of the switches 302 and 304 shown in Fig. 2 the connection is interrupted, and the data transferred to the bus 21 comes from a line 306 carrying a fixed data value. This data value corresponds, for example, to the value of the jump instruction used to enter system mode. If a user program thus attempts, in a prohibited manner, to access a register that is not permitted, the value read out corresponds to the jump instruction. If this value is to be interpreted as an instruction, such a prohibited access therefore always results in a jump to system mode, in which only fixed instruction sequences that cannot be altered by a user are executed.

Fig. 3 shows some parts of the MMU 14 in more detail. The connection to the bus 11 leads to an address calculator 140, where the data from the bus 11, serving as an address, is combined with a more significant address part arriving via the connection 19 from the register 18 of Fig. 1, and the result is output via the connection 141. The connection 141 leads to a blocking unit 144 and to a comparator 142. A second input of the comparator 142 is connected to the output of a register 32, which is likewise connected as a special function register to the bus 23, is accessible only in system mode, and in system mode can be loaded with a value for an address boundary. This address boundary is compared with, preferably, parts of the address on the connection 141; if the address lies within the predetermined boundary, the comparator 142 releases the blocking unit 144 via the line 141 and the address is fed via the connection 15 to the memory 20 of Fig. 1. In this way, in user mode, access to part of a segment assigned to the user program in question can be blocked.

A further safeguard against access to non-permitted data is shown schematically in Fig. 4. When the content of a memory location is read from the memory 20 of Fig. 1 and the corresponding data is output via the connection 29, it is supplied to a comparator 42 and to a further blocking unit 40. At a further input the comparator 42 receives data from the register 18, which was loaded via the bus 23. The comparator 42 checks particular parts of the data word on the connection 29 for equality with the data supplied by the register 18. Only in the case of equality is the blocking unit 40 released via the line 43 and the data output on the connection 45. Depending on control signals on control lines not shown separately, this data is written either into a data register 44, which passes it to the bus 11, or into an instruction register 46, which passes it as an instruction to an instruction decoder, not shown.

When data from the bus 11 is to be written into the memory 20 of Fig. 1 via the data register 44, it likewise passes through the blocking unit 40, where it is supplemented with data corresponding to the content of the register 18, and is then written into the memory 20 via the connection 29. As a result, when this data is read back by the associated user program, the required equality with the content of the register 18 is established. In a different user program, in which these check data have a different value, the data of a foreign user program therefore cannot be accessed.
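As an added example (not the patent's own design), the following C model simulates the mechanisms described for Figs. 2 to 4 together: the mode bit, the gated register bus that returns the fixed value of line 306 in user mode, the address-boundary comparator of the MMU, and the check bits stored with each word. The register widths, the 4-bit check-tag layout, the jump value 0xFF and the "address below boundary" rule are assumptions of the model.

```c
/* Added example, not part of the patent: a C model of the protection mechanisms
 * of Figs. 2 to 4. The register widths, the 4-bit check-tag layout, the jump
 * value 0xFF on line 306 and the "address < boundary" rule are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MODE_USER     0
#define MODE_SYSTEM   1
#define MEM_WORDS     64
#define TAG_SHIFT     12      /* assumed: upper 4 bits of each 16-bit word are check bits */
#define TAG_MASK      0x0Fu
#define PAYLOAD_MASK  0x0FFFu
#define SYSJUMP_VALUE 0xFFu   /* assumed encoding of the jump-to-system-mode instruction */

typedef struct {
    uint8_t  mode_bit;          /* register 28, section 71 of the PSW */
    uint8_t  reg18;             /* segment / check register 18 on bus 23 */
    uint8_t  reg32;             /* address boundary register 32 on bus 23 */
    uint16_t memory[MEM_WORDS]; /* memory 20: check bits | payload per word */
} Cpu;

/* Connection unit 30 (Fig. 2): in user mode switches 302/304 are open and a read
 * of any register on bus 23 returns the fixed value from line 306 instead. */
static uint8_t sf_read(const Cpu *c, const uint8_t *reg)
{
    return c->mode_bit == MODE_SYSTEM ? *reg : (uint8_t)SYSJUMP_VALUE;
}

/* A write to bus 23 never reaches the register while the bus is cut. */
static bool sf_write(Cpu *c, uint8_t *reg, uint8_t value)
{
    if (c->mode_bit != MODE_SYSTEM) return false;
    *reg = value;
    return true;
}

/* MMU (Fig. 3): comparator 142 releases blocking unit 144 only if the address
 * lies within the boundary in register 32. The model applies this in user mode
 * only and lets the system program reach the whole memory (assumption). */
static bool mmu_allows(const Cpu *c, uint8_t addr)
{
    if (addr >= MEM_WORDS) return false;
    return c->mode_bit == MODE_SYSTEM || addr < c->reg32;
}

/* Blocking unit 40 on a write (Fig. 4): the payload is stored together with
 * check bits taken from register 18. */
static bool mem_write(Cpu *c, uint8_t addr, uint16_t payload)
{
    if (!mmu_allows(c, addr)) return false;
    c->memory[addr] = (uint16_t)(((c->reg18 & TAG_MASK) << TAG_SHIFT) | (payload & PAYLOAD_MASK));
    return true;
}

/* Comparator 42 on a read (Fig. 4): the stored check bits must equal register 18,
 * otherwise blocking unit 40 withholds the word. */
static bool mem_read(const Cpu *c, uint8_t addr, uint16_t *out)
{
    if (!mmu_allows(c, addr)) return false;
    uint16_t word = c->memory[addr];
    if ((uint8_t)(word >> TAG_SHIFT) != (c->reg18 & TAG_MASK)) return false;
    *out = word & PAYLOAD_MASK;
    return true;
}

/* The special jump instruction enters system mode; only the system program loads
 * registers 18 and 32, and it switches the mode bit back before returning. */
static void system_program(Cpu *c, uint8_t check_tag, uint8_t boundary)
{
    c->mode_bit = MODE_SYSTEM;
    sf_write(c, &c->reg18, check_tag);
    sf_write(c, &c->reg32, boundary);
    c->mode_bit = MODE_USER;
}

/* Scenario: user program A (tag 3, boundary 16) stores a word; program B (tag 5)
 * must not read it and must not widen its own boundary. Returns the number of
 * violated expectations, so 0 means the model behaves as the text describes. */
static int run_scenario(void)
{
    Cpu c;
    uint16_t v = 0;
    int failures = 0;
    memset(&c, 0, sizeof c);

    system_program(&c, 3, 16);                          /* configure program A */
    failures += !mem_write(&c, 5, 0xABC);               /* inside boundary: stored */
    failures += !(mem_read(&c, 5, &v) && v == 0xABC);   /* same tag: readable */
    failures += mem_write(&c, 20, 0x001);               /* beyond boundary: blocked */
    failures += sf_write(&c, &c.reg32, MEM_WORDS);      /* user mode cannot widen it */
    failures += sf_read(&c, &c.reg32) != SYSJUMP_VALUE; /* read yields the jump value */

    system_program(&c, 5, MEM_WORDS);                   /* switch to program B */
    failures += mem_read(&c, 5, &v);                    /* tag 3 != 5: withheld */
    failures += !mem_write(&c, 5, 0x123);               /* B stores its own tagged word */
    failures += !(mem_read(&c, 5, &v) && v == 0x123);   /* and can read that one */
    return failures;
}
```

`run_scenario()` returns 0 when every blocked access is refused and every permitted one succeeds; a non-zero count points at the first mechanism whose model diverged from the description.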

Fig. 5 symbolically shows the division into a protected system part 50 and an unprotected user part 60. In the user part 60, access to a stack 62 and to the program counter 64 is permitted. In addition, one half of the register 59 for the program status word is available to this user part. The other part of this register 59 is available only to the system part 50. From there, system stacks 570, 571 can be accessed via a register 57, and the bus for the special function registers can be accessed via an interface 52; these registers include a register 56 for controlling write enable to memory, the register 55 for controlling memory access in general, the register 54 for input/output operations, and a register 53 for a coprocessor, which is preferably arranged on the same chip. Further such registers, not shown, may be present.

The system area 50, with its access to the units indicated therein, is available only when the mode bit is set. In the user area, access to the units 62 and 64 shown therein is possible, but not to the units shown in the system area 50.

Fig. 6 shows an example of the structure of a program status word 70. Section 71 contains the mode bit. Section 72 contains a bit with which the program flow can be checked, which is important in particular when programs are being developed. The content of section 73 serves for register selection. The content of section 74 masks interrupt requests. These sections belong to the half of the program status word that can be modified only in system mode.

The part after the double line is readable and modifiable in user mode as well, and contains two sections 75 and 76 in which carry signals arising in the ALU 12 of Fig. 1 are stored. Section 77 can be defined largely freely by the user program. Section 78 stores the indication that an overflow has occurred in the ALU 12 of Fig. 1. Section 79 indicates that a negative result has occurred in the ALU 12, and section 80 indicates that the value zero resulted from the calculation. Since these are only signals from the ALU 12 of Fig. 1, access to these areas must also be possible in user mode.

Claims (7)

  1. A chip card with an integrated circuit provided with a control unit in the form of a microprocessor and at least one memory with a plurality of memory locations that can be accessed via addresses, characterized in that the microprocessor includes a plurality of registers of which at least a PSW register contains a program status word in which the value of at least one predetermined mode bit determines a user mode or a system mode, the access to at least parts of the PSW register as well as to all registers and memory segments that are used only in the system mode being inhibited when the mode bit indicates the user mode.
  2. A chip card as claimed in claim 1, in which the PSW register comprises at least a first sub-register and a second sub-register and the first sub-register contains the mode bit as well as information for the selection of one from a plurality of register blocks and can be read and modified only in the system mode.
  3. A chip card as claimed in claim 1 or 2, in which each interrupt request occurring in the user mode triggers a jump to the system mode which switches over the mode bit, and all registers which serve for input/output operations and for the control of control circuits coupled to the microprocessor are used only in the system mode.
  4. A chip card as claimed in any one of the preceding claims, in which at least one of the registers is a first segment address register which contains the address of a memory segment containing data for the current program that is being executed, and at least a further register is a second segment address register which contains the address of a preferably other memory segment and a modification of the first and the second segment address register is inhibited in the user mode.
  5. A chip card as claimed in any one of the preceding claims, in which further registers are address registers of which each one indicates a respective address within a memory zone indicated by the segment address register, each address register having assigned to it an associated auxiliary address register which can be modified only in the system mode and contains at least the most significant bits of the address as well as test information and there being provided a comparator which compares the test information of the auxiliary address register with information read from predetermined bit locations of the addressed memory location and, in the user mode, enables the further transport of the information read from the addressed memory location, or a modification of the information of the addressed memory location, only in the case of correspondence between the test information and the information read out.
  6. A chip card as claimed in any one of the preceding claims, in which from a register which is addressed in the user mode and is used only in the system mode only a predetermined bit pattern, preferably being the bit pattern of a memory location that has not been modified after the manufacture of the integrated circuit, is transported.
  7. A chip card as claimed in any one of the preceding claims, in which the registers are connected, over a bus, to the remainder of the circuit of the microprocessor in such a manner that the registers which are used only in the system mode are arranged at the end of the bus that is remote from the microprocessor and an inhibit gate which is controlled only by the mode bit is inserted in the bus and precedes said register.
Application EP99200263A, priority date 1998-02-06, filing date 1999-01-29: Smart card with integrated circuit, granted as EP0935214B1 (en), status Expired - Lifetime.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19804784 1998-02-06
DE19804784A DE19804784A1 (en) 1998-02-06 1998-02-06 Chip card with integrated circuit

Publications (3)

Publication Number Publication Date
EP0935214A2 EP0935214A2 (en) 1999-08-11
EP0935214A3 EP0935214A3 (en) 2002-08-14
EP0935214B1 true EP0935214B1 (en) 2008-12-03

Family

ID=7856868

Family Applications (1)

Application Number Title Priority Date Filing Date
EP99200263A Expired - Lifetime EP0935214B1 (en) 1998-02-06 1999-01-29 Smart card with integrated circuit

Country Status (4)

Country Link
US (2) US6594746B2 (en)
EP (1) EP0935214B1 (en)
JP (1) JP4559552B2 (en)
DE (2) DE19804784A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19804784A1 (en) * 1998-02-06 1999-08-12 Philips Patentverwaltung Chip card with integrated circuit
US6820203B1 (en) * 1999-04-07 2004-11-16 Sony Corporation Security unit for use in memory card
JP2001056848A (en) * 1999-08-19 2001-02-27 Nec Corp Command execution control method for ic card, ic card, and recording medium where ic card program is recorded
JP3710671B2 (en) * 2000-03-14 2005-10-26 シャープ株式会社 One-chip microcomputer, IC card using the same, and access control method for one-chip microcomputer
US20020040438A1 (en) * 2000-05-05 2002-04-04 Fisher David Landis Method to securely load and manage multiple applications on a conventional file system smart card
WO2001097010A2 (en) 2000-06-12 2001-12-20 Koninklijke Philips Electronics N.V. Data processing method and device for protected execution of instructions
US7925892B2 (en) 2003-03-31 2011-04-12 Nxp B.V. Method to grant modification rights for a smart card
US8639946B2 (en) * 2005-06-24 2014-01-28 Sigmatel, Inc. System and method of using a protected non-volatile memory
GB2457062A (en) * 2008-02-01 2009-08-05 Iti Scotland Ltd Tag reader / writer process partitioned for execution between secure and non-secure processing environments
USD691610S1 (en) * 2011-11-07 2013-10-15 Blackberry Limited Device smart card
US8950681B2 (en) 2011-11-07 2015-02-10 Blackberry Limited Universal integrated circuit card apparatus and related methods
USD703208S1 (en) * 2012-04-13 2014-04-22 Blackberry Limited UICC apparatus
US8936199B2 (en) 2012-04-13 2015-01-20 Blackberry Limited UICC apparatus and related methods
USD701864S1 (en) * 2012-04-23 2014-04-01 Blackberry Limited UICC apparatus

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE512542C (en) * 1930-05-01 1930-11-13 Niederrheinische Eisenhuette U Procedure for quickly emptying the petrol earth pipe
JPH03229328A (en) * 1990-02-05 1991-10-11 Matsushita Electric Ind Co Ltd Microprocessor
DE4115152C2 (en) * 1991-05-08 2003-04-24 Gao Ges Automation Org Card-shaped data carrier with a data-protecting microprocessor circuit
US5418956A (en) * 1992-02-26 1995-05-23 Microsoft Corporation Method and system for avoiding selector loads
JP3125196B2 (en) * 1992-06-23 2001-01-15 株式会社シコー技研 Pressure-resistant waterproof seal mechanism
JPH06236447A (en) * 1993-02-09 1994-08-23 Mitsubishi Electric Corp Microcomputer for ic card
FR2713803B1 (en) * 1993-12-07 1996-01-12 Gemplus Card Int Memory card and operating method.
US5491827A (en) * 1994-01-14 1996-02-13 Bull Hn Information Systems Inc. Secure application card for sharing application data and procedures among a plurality of microprocessors
JP3672634B2 (en) * 1994-09-09 2005-07-20 株式会社ルネサステクノロジ Data processing device
JPH08297580A (en) * 1995-04-27 1996-11-12 Canon Inc Input/output control method
JP2625402B2 (en) * 1995-05-24 1997-07-02 日本電気株式会社 Microprocessor
US5701493A (en) * 1995-08-03 1997-12-23 Advanced Risc Machines Limited Exception handling method and apparatus in data processing systems
DE19536169A1 (en) * 1995-09-29 1997-04-03 Ibm Multifunctional chip card
US5754762A (en) * 1997-01-13 1998-05-19 Kuo; Chih-Cheng Secure multiple application IC card using interrupt instruction issued by operating system or application program to control operation flag that determines the operational mode of bi-modal CPU
FR2770327B1 (en) * 1997-10-24 2000-01-14 Sgs Thomson Microelectronics ELECTRICALLY PROGRAMMABLE AND ERASABLE NON-VOLATILE MEMORY INCLUDING A PROTECTIVE AREA FOR READING AND / OR WRITING AND ELECTRONIC SYSTEM INCORPORATING THE SAME
DE19804784A1 (en) * 1998-02-06 1999-08-12 Philips Patentverwaltung Chip card with integrated circuit

Also Published As

Publication number Publication date
JPH11272828A (en) 1999-10-08
US6594746B2 (en) 2003-07-15
US6754794B2 (en) 2004-06-22
US20020169943A1 (en) 2002-11-14
DE59914917D1 (en) 2009-01-15
DE19804784A1 (en) 1999-08-12
JP4559552B2 (en) 2010-10-06
US20030196054A1 (en) 2003-10-16
EP0935214A3 (en) 2002-08-14
EP0935214A2 (en) 1999-08-11

Similar Documents

Publication Publication Date Title
EP0512542B1 (en) Data-protecting microprocessor circuit for portable record carriers, for example credit cards
DE2916658C2 (en)
EP0935214B1 (en) Smart card with integrated circuit
DE3048365C2 (en)
DE2629459C2 (en)
DE69100052T2 (en) INTEGRATED CIRCUIT FOR IMPROVED ACCESS.
DE69404674T2 (en) MEMORY CARD AND METHOD FOR OPERATION
DE19536169A1 (en) Multifunctional chip card
DE3102150A1 (en) "CIRCUIT ARRANGEMENT WITH A CACHE STORAGE FOR A CENTRAL UNIT OF A DATA PROCESSING SYSTEM
DE1499200A1 (en) Data processing system with priority-controlled program interruption
EP1358558B1 (en) Microprocessor circuit for data carriers and a method for organising access to data stored in a memory
DE1269393B (en) Microprogram control unit
DE10324337B4 (en) Computer system and associated method for performing a safety program
DE2054830B2 (en) Information processing system with means of access to memory data fields of variable length
DE69602984T2 (en) Method of protecting non-volatile memory areas
DE10164422A1 (en) Method for writing to NV memories in computer architecture, requires data values or data words to be written to specified position of cache-page register of NV memory
EP1352318B1 (en) Microprocessor circuit for portable data carriers
DE19626972A1 (en) Preliminary release method and apparatus for the use of a program protected by an electronic cassette
EP1248200A1 (en) Locking circuit for preventing unauthorized access to a memory of a processor
DE2817757A1 (en) Data processing system
EP0966711B1 (en) Microcomputer with a memory management unit
EP0890172B1 (en) Solid-state memory device
EP1543411B1 (en) Processor with explicit information on information to be secured in sub-program branches
EP0329966B1 (en) Method for securing secret code data stored in a data memory, and circuitry for carrying out this method
EP0353530A1 (en) Method for differentiating between electronic circuits with non-volatile memories

Legal Events

Date Code Title Description

PUAI Public reference made under Article 153(3) EPC to a published international application that has entered the European phase
  Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states
  Kind code of ref document: A2
  Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the European patent
  Free format text: AL;LT;LV;MK;RO;SI

RAP3 Party data changed (applicant data changed or rights of an application transferred)
  Owner name: KONINKLIJKE PHILIPS ELECTRONICS N.V.
  Owner name: PHILIPS CORPORATE INTELLECTUAL PROPERTY GMBH

PUAL Search report despatched
  Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states
  Kind code of ref document: A3
  Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the European patent
  Free format text: AL;LT;LV;MK;RO;SI

RIC1 Information provided on IPC code assigned before grant
  Free format text: 7G 06K 19/073 A, 7G 07F 7/10 B

RAP1 Party data changed (applicant data changed or rights of an application transferred)
  Owner name: KONINKLIJKE PHILIPS ELECTRONICS N.V.
  Owner name: PHILIPS CORPORATE INTELLECTUAL PROPERTY GMBH

17P Request for examination filed
  Effective date: 20030214

AKX Designation fees paid
  Designated state(s): DE FR GB IT

RAP1 Party data changed (applicant data changed or rights of an application transferred)
  Owner name: KONINKLIJKE PHILIPS ELECTRONICS N.V.
  Owner name: PHILIPS INTELLECTUAL PROPERTY & STANDARDS GMBH

RAP1 Party data changed (applicant data changed or rights of an application transferred)
  Owner name: NXP B.V.

GRAP Despatch of communication of intention to grant a patent
  Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid
  Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant
  Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states
  Kind code of ref document: B1
  Designated state(s): DE FR GB IT

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: FG4D
  Free format text: NOT ENGLISH

REF Corresponds to:
  Ref document number: 59914917
  Country of ref document: DE
  Date of ref document: 20090115
  Kind code of ref document: P

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: 732E
  Free format text: REGISTERED BETWEEN 20090507 AND 20090513

PLBE No opposition filed within time limit
  Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an EP patent application or granted EP patent
  Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed
  Effective date: 20090904

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: 732E
  Free format text: REGISTERED BETWEEN 20101007 AND 20101013

PG25 Lapsed in a contracting state [announced via postgrant information from national office to EPO]
  Ref country code: IT
  Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT
  Effective date: 20081203

REG Reference to a national code
  Ref country code: FR
  Ref legal event code: GC

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: 732E
  Free format text: REGISTERED BETWEEN 20111013 AND 20111019

REG Reference to a national code
  Ref country code: FR
  Ref legal event code: AU
  Effective date: 20120126

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: 732E
  Free format text: REGISTERED BETWEEN 20120315 AND 20120321

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: 732E
  Free format text: REGISTERED BETWEEN 20120705 AND 20120711

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: 732E
  Free format text: REGISTERED BETWEEN 20120927 AND 20121003

REG Reference to a national code
  Ref country code: FR
  Ref legal event code: AU
  Effective date: 20121009

REG Reference to a national code
  Ref country code: FR
  Ref legal event code: AU
  Effective date: 20130402

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: 732E
  Free format text: REGISTERED BETWEEN 20130606 AND 20130612

REG Reference to a national code
  Ref country code: FR
  Ref legal event code: PLFP
  Year of fee payment: 18

REG Reference to a national code
  Ref country code: FR
  Ref legal event code: PLFP
  Year of fee payment: 19

REG Reference to a national code
  Ref country code: FR
  Ref legal event code: PLFP
  Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to EPO]
  Ref country code: FR
  Payment date: 20171221
  Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to EPO]
  Ref country code: GB
  Payment date: 20171222
  Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to EPO]
  Ref country code: DE
  Payment date: 20171218
  Year of fee payment: 20

REG Reference to a national code
  Ref country code: DE
  Ref legal event code: R071
  Ref document number: 59914917
  Country of ref document: DE

REG Reference to a national code
  Ref country code: GB
  Ref legal event code: PE20
  Expiry date: 20190128

PG25 Lapsed in a contracting state [announced via postgrant information from national office to EPO]
  Ref country code: GB
  Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION
  Effective date: 20190128